MATEUSZ "J00RU" JURCZYK

The 16-bit Windows Metafile (WMF) image file format has been present in the Microsoft software ecosystem since 1990. It remained a fundamental format until 1993, when 32-bit Enhanced Metafiles (EMF) were introduced in the Win32 GDI, eliminating many of the original format's limitations and significantly extending it. Since then, another derivative format called EMF+ was added in Windows XP, but all of them have been in decline for the last 15 years, in favor of other raster image representations such as BMP, JPEG, PNG or even TIFF.

However, it would be wrong to believe that Metafiles completely went away into oblivion and are no longer a valid attack vector or something to take interest in as a security engineer. They are still supported by Internet Explorer, are the native image storage format in Microsoft Office, and play an essential role in Print Spooling. For these reasons, the metafile formats (but especially EMF) should not be forgotten, and their most widespread implementations in GDI and GDI+ kept at a high quality level.

Internally, metafiles are collections of records instructing the parser which GDI (or GDI+, in the case of EMF+) API functions to call, and what parameters to pass to them. In other words, images encoded as metafiles can be thought of as simple GDI-only programs. For any bughunter aware of the complexities of the interface, this sounds like a dream: there are so many corner cases and conditions to validate against that it's very unlikely for any implementation to get it completely right. One such commonly known bug was the WMF SetAbortProc vulnerability discovered on December 27, 2005, which took advantage of a documented feature to overwrite a GDI function pointer with the address of attacker-controlled data and have it called, effectively resulting in reliable arbitrary code execution.

Have GDI and other relevant libraries been thoroughly audited since that incident? Are there any more such critical bugs lurking in the code bases? To what extent can EMF files interact with the operating system? The goal of this talk is to address these questions by discussing the results of my recent research in this area, including detailed analysis of the discovery and exploitation of multiple amusing security flaws, many of which are still not patched at the time of this writing.

MATEUSZ "J00RU" JURCZYK BIO

Mateusz is the vice-captain of the Dragon Sector CTF team and a big fan of memory corruption. His main areas of interest are client software security, vulnerability exploitation and mitigation techniques, and delving into the darkest corners of low-level kernel internals with a very strong emphasis on Microsoft Windows. He currently works as a security engineer within the Project Zero team at Google.

WANQIAO ZHANG & QING YANG

Forcing A Targeted LTE Cellphone Into An Unsafe Network

LTE is a more advanced mobile network, but it is not absolutely secure. Recently, several papers have already exposed vulnerabilities in LTE networks. In this presentation, we will introduce one method which jointly exploits the vulnerabilities in the tracking area update procedure, the attach procedure, and the RRC redirection procedure, and can ultimately force a targeted LTE cellphone to downgrade into a malicious GSM network, after which its data traffic or even voice calls can be eavesdropped on.

This attack is not a simple DoS attack. It can select the targeted cellphone by filtering on the IMSI number (IMSI catcher function), so it will not influence the other cellphones and will keep them in the real network. Furthermore, it can force the cellphone into the malicious network that we set up (a fake network) or that we assign (an operator's network), so the cellphone has no chance to choose another, secure network. This is the dangerous point of this attack.

WANQIAO ZHANG & QING YANG BIO

Wanqiao Zhang is a master's graduate who finished her degree at NUAA last year. She is enthusiastic about the security of radio transmission and cellular networks. She is also a DefCon speaker: this year she will give a presentation about LTE redirection at DefCon.

YANG Qing is the team leader of Unicorn Team at Qihoo 360 Technology Co. Ltd. He has rich experience in the wireless and hardware security area, including WiFi penetration testing, cellular network interception, IC card cracking etc. His interests also cover embedded system hacking, firmware reversing, automotive security, and software radio. He was the first to report the vulnerabilities of the WiFi system and the RF IC card system used in the Beijing subway.

ZDI TEAM

$hell on Earth: From Browser to System Compromise

The winning submissions to Pwn2Own 2016 provided unprecedented insight into the state of the art in software exploitation. Every successful submission provided remote code execution as the super user (SYSTEM/root) via the browser or a default browser plugin. In most cases, these privileges were attained by exploiting the Microsoft Windows or Apple OS X kernel. Kernel exploitation using the browser as an initial vector was a rare sight in previous contests.

This presentation will detail the eight winning browser to super user exploitation chains (21 total vulnerabilities) demonstrated at this year’s Pwn2Own contest. We will cover topics such as modern browser exploitation, the complexity of kernel Use-After-Free exploitation, and the simplicity of exploiting logic errors and directory traversals in the kernel. We will analyze all attack vectors, root causes, exploitation techniques, and possible remediations for the vulnerabilities presented.

Reducing attack surfaces with application sandboxing is a step in the right direction, but the attack surface remains expansive and sandboxes are clearly still just a speed bump on the road to complete compromise. Kernel exploitation is clearly a problem which has not disappeared and is possibly on the rise. If you're like us, you can't get enough of it; it's shell on earth.

ZDI TEAM BIO

Matt Molinyawe Trend Micro - Zero Day Initiative

Matt Molinyawe is a vulnerability analyst and exploit developer for the Zero Day Initiative (ZDI) program. In this role, Molinyawe analyzes and performs root-cause analysis on hundreds of vulnerabilities submitted to the Zero Day Initiative (ZDI) program, which represents the world's largest vendor-agnostic bug bounty program. His focus includes vulnerability research along with analyzing and performing root-cause analysis on hundreds of zero-day vulnerabilities submitted by ZDI researchers from around the world. He has presented at numerous security conferences including DEF CON, RuxCon, Power of Community, and PacSec. Prior to joining ZDI, Matt worked as a reverse engineer for General Dynamics Advanced Information Systems and a software engineer for both USAA and L3 Communications. In 2014, Matt was part of the ZDI team that exploited Internet Explorer 11 on Windows 8.1 x64 during the Pwn4Fun event at CanSecWest, which helped raise over $80K for charity. In his spare time, he was also a 2005 and 2007 US Finalist as a Scratch DJ. Matt has a B.S. in Computer Science from the University of Texas at Austin. Twitter: @djmanilaice

Jasiel Spelman Trend Micro - Zero Day Initiative

Jasiel Spelman is a vulnerability analyst and exploit developer for the Zero Day Initiative (ZDI) program. His primary role involves performing root cause analysis on ZDI submissions to determine exploitability, followed by developing exploits for accepted cases. Prior to being part of ZDI, Jasiel was a member of the Digital Vaccine team where he wrote exploits for ZDI submissions, and helped develop the ReputationDV service from TippingPoint. Jasiel's focus started off in the networking world but then shifted to development until transitioning to security. He has a BA in Computer Science from the University of Texas at Austin. Twitter: @WanderingGlitch

Abdul-Aziz Hariri Trend Micro - Zero Day Initiative

Abdul-Aziz Hariri is a security researcher with the Zero Day Initiative program. In this role, Hariri analyzes and performs root-cause analysis on hundreds of vulnerabilities submitted to the Zero Day Initiative (ZDI) program, which is the world's largest vendor-agnostic bug bounty program. His focus includes performing root-cause analysis, fuzzing and exploit development. Prior to joining ZDI, Hariri worked as an independent security researcher and threat analyst for Morgan Stanley emergency response team. During his time as an independent researcher, he was profiled by Wired magazine in their 2012 article, Portrait of a Full-Time Bug Hunter. In 2015, Abdul was part of the research team that submitted "Breaking Silent Mitigations - Gaining code execution on Isolated Heap and MemoryProtection hardened Internet Explorer" to the Microsoft bounty program. Their submission netted the highest payout to date from the Microsoft bounty program where the proceeds went to many STEM organizations. Twitter: @abdhariri

TARJEI "KERNELPOOL" MANDT

Demystifying the Secure Enclave Processor

The secure enclave processor (SEP) was introduced by Apple as part of the A7 SOC with the release of the iPhone 5S, most notably to support their fingerprint technology, Touch ID. SEP is designed as a security circuit configured to perform secure services for the rest of the SOC, with no direct access from the main processor. In fact, the secure enclave processor runs its own fully functional operating system - dubbed SEPOS - with its own kernel, drivers, services, and applications. This isolated hardware design prevents an attacker from easily recovering sensitive data (such as fingerprint information and cryptographic keys) from an otherwise fully compromised device.

Although almost three years have passed since its inception, little is still known about the inner workings of the SEP and its applications. The lack of public scrutiny in this space has consequently led to a number of misconceptions and false claims about the SEP.

In this presentation, we aim to shed some light on the secure enclave processor and SEPOS. In particular, we look at the hardware design and boot process of the secure enclave processor, as well as the SEPOS architecture itself. We also detail how the iOS kernel and the SEP exchange data using an elaborate mailbox mechanism, and how this data is handled by SEPOS and relayed to its services and applications. Last, but not least, we evaluate the SEP attack surface and highlight some of the findings of our research, including potential attack vectors.

TARJEI "KERNELPOOL" MANDT BIO

Tarjei Mandt (@kernelpool) is a senior security researcher at Azimuth Security. He holds a Master's degree in Information Security from GUC (Norway) and has spoken at security conferences such as Black Hat USA, CanSecWest, INFILTRATE, RECon, SyScan, and Hack in the Box. In his free time, he enjoys spending countless hours challenging security mechanisms and researching intricate issues in low-level system components. Previously, he has discovered several Windows kernel vulnerabilities, and spoken on topics such as kernel pool exploitation and user-mode callback attacks. More recently, he has focused on Apple technology and presented on various security flaws and weaknesses in Mac OS X and iOS.

PATRICK WARDLE

Strolling into Ring-0 via I/O Kit Drivers

Due to recent macOS security enhancements such as system integrity protection and signed driver requirements, having root is not what it once was :( Now, in order to fully own a Mac, one generally needs ring-0 code execution.

Not to worry though, there seem to be many kernel-level vulnerabilities in both Apple and 3rd party drivers! This talk will provide a practical ‘how to’ on reverse engineering I/O Kit drivers in order to search for such bugs. Starting with I/O Kit basics, the talk will then illustratively walk thru the discovery of a (now-patched) 0day which was found during the audit of a common 3rd-party I/O Kit driver.

Specifically, we’ll first explore how to reverse-engineer the target I/O Kit driver and its interfaces in order to ‘connect’ to the driver. Then, how to identify and audit the methods where user input is processed in ring-0. Finally, details of the subtle bug and control of $RIP will be discussed. A few tangential topics will be explored along the way, such as macOS kernel debugging, macOS-specific anti-debugging mechanisms (employed by the 3rd-party product), and the discovery of a core macOS kernel implementation bug that initially prevented the exploitation of the I/O Kit driver bug.

Thru this talk, attendees will gain (or enhance) both knowledge and foundations of macOS kernel and I/O Kit reversing. Armed with this know-how, no I/O Kit driver will remain safe :)

PATRICK WARDLE BIO

Patrick Wardle is the Director of Research at Synack, where he leads cyber R&D efforts. Having worked at NASA, the NSA, and Vulnerability Research Labs (VRL), he is intimately familiar with aliens, spies, and talking nerdy. Currently, Patrick’s focus is on automated vulnerability discovery, and the emerging threats of OS X and mobile malware. In his personal time, Patrick collects OS X malware and writes free OS X security tools. Both can be found on his website: www.Objective-See.com

PETER HLAVATY & JIN LONG

Rainbow Over the Windows: More Colors Than You Could Expect

As time goes on, operating systems keep evolving. Microsoft Windows, for example, ships new designs, features and code from time to time. Sometimes, however, it also ships more than a bit of code for complex subsystems residing in its kernel, and at some later point it starts implementing new designs to prevent unnecessary access to them. But is that safe enough?

As we can see from security bulletins, the win32k subsystem attracts lots of attention. It would seem that, with the efforts of the many security researchers who have dug into this area, finding bugs here should have become pretty tough and almost fruitless. Unfortunately this is not true, as win32k is by nature backed by very complex logic and a large amount of code.

We will present our point of view on the Windows graphics subsystem, as well as the schema of our fuzzing strategies. We will introduce some unusual areas of win32k and its extensions, and show how they can break even locked-down environments.

Part of our talk will be dedicated to CVE-2016-0176, the bug we used for this year's Pwn2Own Edge sandbox bypass, from its discovery to its exploitation techniques, which can serve as an example of a universal DirectX escape that is independent of graphics vendors.

PETER HLAVATY & JIN LONG BIO

Peter (@zer0mem)

Peter is a Lead for Windows Kernel Research at Keen Lab of Tencent (originally known as KEEN Team), with a primary focus on vulnerability discovery and the development of novel exploitation techniques. He has presented his research at various conferences such as Recon, Syscan, ZeroNights, NoSuchCon and others. Prior to Keen, Peter was an AV (ESET) guy; after 4+ years of experience in that field he switched to offensive software security research focused on Windows and Linux kernel architectures. He is a Pwnie nominee and Pwn2Own 2015 & 2016 (MoP) winner, a member of the GeeKon committee and a GeekPwn judge, and an occasional CTF player. Outside the software security field, he does his best as a wushu player as well.

Daniel (Jin Long 金龙) @long123king

Tencent Keen Security Lab researcher with 6 years of programming experience and 4 years of security experience. Former TrendMicro employee, now focused on Windows security research at Keen Security Lab. Pwn2Own 2016 winner (Master of Pwn by the final Edge to SYSTEM escape).

BRIAN GORENC

Hacker-Machine Interface - State of the Union for SCADA HMI Vulnerabilities

Over the last year, synchronised and coordinated attacks against critical infrastructure have taken center stage. Remote cyber intrusions at three Ukrainian regional electric power distribution companies in December 2015 left approximately 225,000 customers without power. Malware, like BlackEnergy, is being specially developed to target supervisory control and data acquisition (SCADA) systems. Specifically, adversaries are focusing their efforts on obtaining access to the human-machine interface (HMI) solutions that act as the main hub for managing the operation of the control system. Vulnerabilities in these SCADA HMI solutions are, and will continue to be, highly valuable as we usher in this new era of software exploitation.

This talk covers an in-depth analysis performed on a corpus of 200+ confirmed SCADA HMI vulnerabilities. It details the popular vulnerability types discovered in HMI solutions developed by the biggest SCADA vendors, including Schneider Electric, Siemens, General Electric, and Advantech. It studies the weaknesses in the technologies used to develop HMI solutions and describes how critical vulnerabilities manifest in the underlying code. The talk will compare the time-to-patch performance of various SCADA vendors along with a comparison of the SCADA industry to the rest of the software industry. Finally, using the data presented, additional guidance will be provided to SCADA researchers along with a prediction on what we expect next in attacks that leverage SCADA HMI vulnerabilities.

BRIAN GORENC BIO

Brian Gorenc is the senior manager of Vulnerability Research with Trend Micro. In this role, Gorenc leads the Zero Day Initiative (ZDI) program, which represents the world’s largest vendor-agnostic bug bounty program. His focus includes analyzing and performing root-cause analysis on hundreds of zero-day vulnerabilities submitted by ZDI researchers from around the world. The ZDI works to expose and remediate weaknesses in the world’s most popular software. Brian is also responsible for organizing the ever-popular Pwn2Own hacking competitions.

QIANG LI & ZHIBIN HU

Breaking out of QEMU

QEMU is a fundamental part of modern open source virtualization solutions, especially KVM and Xen. The most important function of QEMU is device emulation. QEMU can emulate a lot of peripheral devices of a computer, such as the mouse, network card, SCSI host controller and USB host controller. This software emulation can bring a lot of security issues. As QEMU can emulate a very wide range of devices, these security issues can be leveraged to break out of QEMU easily.

This talk will present how to break out of QEMU with two vulnerabilities. It covers an overview of QEMU, mostly focused on the Device Model of QEMU and its attack surface, the data flow from a virtual machine to the host machine, and the common types of vulnerabilities in QEMU such as UAF and infinite loops, some of which are interesting. Finally, this talk will illustrate how to leverage CVE-2016-2857 and another heap overflow to implement a VM escape that fully bypasses ASLR/DEP.

QIANG LI & ZHIBIN HU BIO

Qiang Li is a security researcher at Qihoo 360, mainly focused on vulnerability discovery and vulnerability analysis. He has been a low-level system programmer for several years on both Windows and Linux. He is very interested in low-level system programming and wants to know the secrets under the surface of virtualization. He is currently working on cloud and virtualization security and has discovered a lot of QEMU vulnerabilities this year.

ZhiBin Hu is a security researcher at Qihoo 360. For the last several years he has mainly focused on vulnerability discovery and analysis on Windows, and he placed in the MSRC top 19 in 2015. In the last two years he has become interested in cloud security.

WEI WANG & ZHAOWEI WANG

Make iOS App more Robust and Security through Fuzzing

In this presentation, we will first introduce the state of the iOS App security development lifecycle. Then, we will explain why we should use AFL to fuzz iOS Apps and 3rd party iOS libraries. In order to do fuzzing on iOS, we will show the steps of porting AFL to iOS. After porting AFL to iOS, we will demonstrate how to do fuzzing on iOS or OS X. Finally, we will show the vulnerabilities found by fuzzing.

WEI WANG & ZHAOWEI WANG BIO

Wei Wang

Wei Wang is a senior security researcher of the Qihoo 360 Nirvan Team. He is focusing on the security of Apple’s products, including the OS, developer toolchain, and fundamental frameworks, and has found many vulnerabilities. He also has over 6 years of experience in software development and software architecture, so he is also good at developing security tools. Twitter: @ProteasWang

Zhaowei Wang

Zhaowei Wang is a senior security researcher in the Qihoo 360 Nirvan Team. He is interested in reverse engineering and exploit development, and is sometimes a CTF player. Recently, he has been focusing on vulnerability research and exploitation techniques on Mac OS X and iOS.

VITALY NIKOLENKO

Exploiting COF Vulnerabilities In The Linux Kernel

Most memory corruption vulnerabilities affecting user-space processes are also prevalent in kernel space. Due to the missing kernel-space memory corruption mitigations, exploitation of these kernel-space vulnerabilities is often more trivial than exploiting the same class of vulnerabilities in user space.

There are several new kernel sanitisers such as KASAN, KTSAN and KUBSAN, including the original kmemcheck and SLAB poisoning, that aid in detection of common memory corruption vulnerabilities. Combined with a fuzzing tool, these techniques speed up the discovery process of common vulnerability classes.

Counter overflow (COF) vulnerabilities, on the other hand, are not easily detectable using these approaches and common fuzzing techniques. Furthermore, once identified, they are often not trivial to exploit. In this presentation, we will demonstrate recent real-life COF examples and walk through the exploitation techniques associated with some corner-cases in COF and use-after-free (UAF) vulnerabilities.

We will conclude this presentation with a discussion of our current research: a static-analysis framework designed to automatically identify counter overflows as well as some other UAF vulnerabilities in the Linux kernel.

VITALY NIKOLENKO BIO

Vitaly is a security researcher specialising in reverse engineering and exploit development. He has a solid academic background in programming languages, algorithms and cryptography. He is currently focused on OS security (kernel space exploitation techniques and countermeasures on POSIX systems) and software hypervisors.

EMMANUEL LAW

PHP Internals: Exploit Dev Edition

This talk will give a tour of PHP internals. It'll take the audience on a journey from the design behind a custom PHP fuzzer to how the PHP internal heap can be exploited. It will also cover some of the changes in PHP 7 internals and what they mean from an exploit dev perspective. A sample of interesting and unusual PHP bugs that I have discovered will also be presented. I hope to be able to share what has worked for me and some of the lessons I've learnt throughout this journey.

EMMANUEL LAW BIO

Emmanuel Law (@libnex) is a Principal Security Consultant at Aura Information Security. He works as a penetration tester during the day. By night he can be found fuzzing and exploiting binaries. Recently he has found a new hobby in hacking away at PHP internals.

BRIAN CANDLISH & CHRISTIAN TEUTENBERG

Active Incident Response

During the Pacnet breach in 2015, we developed a method which differs from the usual IR process for targeted attacks, utilising what we have termed ‘Full Spectrum Visibility’ and ‘Targeted Containment’, which form like Voltron to create ‘Active Incident Response’. This method, utilising threat intelligence, hunting and active defense, gives incident responders the information the business needs to assess risk, and another avenue for actions to mitigate that risk.

We will demonstrate, using examples from the Pacnet breach and follow-on waves, how ‘Targeted Containment’ can be used during incident response and the visibility required, and explore actor TTPs, tools and activity associated with this campaign.

Expect to see pcap decodes, command-line activity and actor typos.

BRIAN CANDLISH & CHRISTIAN TEUTENBERG BIO

Brian is a Chief Security Researcher for Australia's largest telecommunications company, who spends his days and nights making the internet a safer place. His interests in information security include attack and detection techniques, intelligence and “active defence”. He enjoys hunting adversaries on large corporate networks.

Christian is a Senior Security Specialist for Australia’s largest telecommunications provider. He specialises in hunting for evidence of breach with endpoint, network and log data. He has over a decade of experience in information security, with a background focusing on intrusion detection, incident response and computer forensics for the enterprise.

MATTHIAS DEEG & GERHARD KLOSTERMEIER

Of Mice and Keyboards: On the Security of Modern Wireless Desktop Sets

Wireless desktop sets consisting of a wireless mouse, a wireless keyboard, and a USB dongle have become more popular and more widespread in the last couple of years. Seen as a potential target, those radio-based devices are of more interest to people with malicious intentions than their wired counterparts, due to the fact that they can also be attacked remotely from a safe distance via radio signals.

As wireless desktop sets represent an attractive target, allowing both to take control of a computer system and to gain knowledge of sensitive data like passwords, they have been frequently analyzed for security vulnerabilities and were successfully attacked in the past. One well-known example of exploiting vulnerabilities in wireless keyboards is the open source wireless keyboard sniffer KeyKeriki by Dreamlab Technologies, the first version of which was presented back in 2009 for Microsoft keyboards using the 27 MHz ISM band. The second version, which also supported wireless keyboards using the 2.4 GHz ISM band, was presented in 2010. In 2015, Samy Kamkar published an Arduino-based wireless keyboard sniffer for Microsoft keyboards with known security weaknesses that extended the work of the KeyKeriki v2.0 project and of Travis Goodspeed's research concerning Nordic Semiconductor's nRF24 transceiver family. And in spring 2016, a collection of security vulnerabilities found in USB dongles of wireless desktop sets of different manufacturers was released by Bastille Networks Internet Security under the name MouseJack, which allowed keystroke injection attacks.

SySS GmbH started a research project about the security of modern wireless desktop sets using AES encryption in 2015, as there was no publicly available data concerning security issues in current wireless mice and keyboards. Up to now (May 2016), several security vulnerabilities in modern wireless desktop sets of different manufacturers like Microsoft, Cherry, Logitech, and Perixx have been found and reported in the course of our responsible disclosure program.

The security vulnerabilities found can be exploited within different attack scenarios from different attackers' perspectives. On the one hand, there are security issues which require one-time physical access to a keyboard or a USB dongle, for example to extract cryptographic keys which can be used in further attacks or to manipulate the firmware. On the other hand, there are security issues that can be exploited remotely via radio communication, for example replay or keystroke injection attacks due to insecure implementations of the AES-encrypted data communication.

The results of our research show that the security levels of modern wireless desktop sets of different manufacturers are not equal and that some devices are more secure than others. Still, there was no wireless desktop set without any security issues.

In our talk, we will present the results of this research and will demonstrate ways in which modern wireless desktop sets of several manufacturers can be attacked by practically exploiting different security vulnerabilities.

MATTHIAS DEEG & GERHARD KLOSTERMEIER BIO

Matthias has been interested in information technology – especially IT security – since his early days and has a great interest in seeing whether security assumptions in soft-, firm- or hardware hold true when taking a closer look. Matthias successfully studied computer science at the University of Ulm and holds the following IT security certifications: CISSP, CISA, OSCP, OSCE.

Since 2007 he has worked as an IT security consultant for the IT security company SySS GmbH, where he is also the leader of R&D.

Matthias was a speaker at the Chaos Communication Congress in 2009 and 2010 (lightning talks and a workshop), at the BSidesVienna security conference in 2014 and 2015 (talks) and at the DeepSec security conference in 2015 (talk). In recent years, he has also published several IT security papers and security advisories.

Gerhard is interested in all things concerning IT security – especially when it comes to hardware or radio protocols. He successfully studied IT security at Aalen University and has been working at SySS GmbH since 2014 as an IT security consultant and penetration tester.

Gerhard was a speaker at GPN 2013 – a conference organized by the Chaos Computer Club (CCC) in Karlsruhe – where he talked about hacking RFID-based student cards. He is also the author of the Mifare Classic Tool Android app.

TWEEK

Firmware Biopsy: Towards Taming The Lunacy

Firmware attacks initially came to public attention when Snowden’s leaks demonstrated the extent of nation-state capabilities. More recently, commercial groups such as Hacking Team were found to provide similar services, including reflashing the BIOS to install persistent remote access tools.

Although the cost of developing and deploying firmware implants remains high, they have become a viable target for attackers with sufficient resources. Not only can firmware compromises provide long-term persistent access, they also have a lower chance of detection by defenders, mainly because of limited knowledge and the scarcity of tools available in the security community.

This talk will present some of the work done at Google to advance the current state of firmware collection and verification for laptops, desktops and servers. We will discuss the approaches we are taking, some of the techniques we use for verification and the software we are publishing to help other organisations do this at scale.

TWEEK BIO

tweek is a Security Engineer at Google, Sydney.

WANDERINGGLITCH

Leaking Windows Kernel Pointers

As part of reversing win32k.sys to understand the User-Mode Callback mechanism, I found several kernel information leaks. As it turns out, there were several situations where the kernel was readily returning kernel pointers to user land. This talk will be a brief introduction into how user-mode callbacks operate, a description of the information leak vulnerabilities and how prevalent they are, and then a detailed description of how to take advantage of CVE-2015-0094 and CVE-2015-1680.

WANDERINGGLITCH BIO

Jasiel Spelman is a vulnerability analyst and exploit developer for the Zero Day Initiative (ZDI) program. His primary role involves performing root cause analysis on ZDI submissions to determine exploitability, followed by developing exploits for accepted cases. Prior to being part of ZDI, Jasiel was a member of the Digital Vaccine team where he wrote exploits for ZDI submissions, and helped develop the ReputationDV service from TippingPoint. Jasiel's focus started off in the networking world but then shifted to development until transitioning to security. He has a BA in Computer Science from the University of Texas at Austin.

ALEX HUDE & MAX BAZALIY

FRAPL - Next Generation Reverse Engineering Framework

These days in reverse engineering there are two ways to make an analysis - static and dynamic. The problem of static analysis tools is that they are unable to show you the execution context which includes CPU registers, stack, memory states. On the other hand, dynamic tools like debuggers are based on debug API and can be detected by the target application, so researcher must defeat all anti-debugger tricks first in order to debug something. Dynamic code instrumentation frameworks like Frida tends to take the best from the debuggers simultaneously solving some of their downsides. However, researcher has to write a lot of initial code either for client and for agent script. Also lack of interactivity as an absence of code and data structures visualisation and navigation, inability to name functions, comment your work or get context-aware disassembly listing make these tools hard to use as well.

This talk is about FRAPL - a reverse engineering framework created to simplify dynamic instrumentation with Frida. The core of FRAPL is FridaLink - a protocol and IDA plugin for establishing a bridge between the Frida client and IDA Pro. It brings runtime information into the IDA disassembly and allows monitoring dynamic changes by controlling Frida directly from IDA. FRAPL requires just three simple steps to actually start reverse engineering, without a single line of code. This is a new way of combining static and dynamic analysis.

ALEX HUDE & MAX BAZALIY BIO

Alexander Hude (@getorix) is a software and hardware reverse engineer with 13 years of experience in mobile technologies and consumer electronics. Having started with WindowsMobile/PocketPC applications in 2003, these days he is focused on macOS/iOS security, vulnerabilities, proprietary protocols and embedded firmware research. Alexander holds an Engineering degree in Computer Science and currently works at Blackmagic Design.

Max is a Staff Security Engineer at Lookout who has more than ten years of experience in areas such as mobile security, security protocol design and analysis, mobile security research, tool and technique development for vulnerability assessment and post-exploitation, reverse engineering mobile/desktop platforms and penetration testing. Prior to joining Lookout, Max worked on code obfuscation and software protection solutions, as well as penetration testing of commercial software protection products. In past years, Max has spoken at various security and engineering conferences, including Defcon, UIKonf, Mobile Optimized, Mobile Central Europe, Mobius and UAMobile. Max holds a Masters degree in Computer Science and is currently a PhD student at the National Technical University of Ukraine "Kyiv Polytechnic Institute", where he is working on a dissertation in the code obfuscation and privacy area.

JAMES FORSHAW

Documented to Fail

API documentation is supposed to be an example of clear and precise information so that developers can write effective applications and avoid security pitfalls. Of course, certainly when it comes to Windows, this isn't always the case. This presentation will go into some issues I've discovered over my years of research which show a clear lack of precise security documentation, leading to vulnerable conditions. The API documentation can also be a useful source of assumptions about the behaviour of a system, which can be used to develop testing strategies.

This presentation should be of interest to attendees who, in particular, have to develop applications on Microsoft platforms, as well as security researchers who like interesting logical vulnerabilities. Not all the bugs are fixed; they continue to be issues with the documentation which will come back to haunt developers for many years to come.

JAMES FORSHAW BIO

James is a security researcher in Google’s Project Zero. He has been involved with computer hardware and software security for over 10 years looking at a range of different platforms and applications. With a great interest in logical vulnerabilities he has numerous disclosures in a wide range of products from web browsers to virtual machine breakouts as well as being a Pwn2Own and Microsoft Mitigation Bypass bounty winner. He has spoken at a number of security conferences including Black Hat USA, CanSecWest, Bluehat, HITB, and Infiltrate.

ROB FULLER

Writing Malware While The Blue Team Is Staring At You

Malware authors and reverse engineers have been playing cat and mouse for a number of years now when it comes to writing and reversing malware. From nation state level malware to the mass malware that infects grandmas and grandpas, mothers and fathers, the different types of malware employ a myriad of techniques to stop those who look at it from guessing the true intent. This talk will be about some of the unorthodox methods employed by some malware to stay hidden from, or outright ignore, the reverse engineering community.

ROB FULLER BIO

Rob has over 11 years of experience covering all facets of information security. He has been behind the lines helping to design, build, and defend the US Marine Corps, US Senate, and Pentagon networks - as well as performing penetration tests and Red Team assessments against those same networks. More recently, Rob has performed numerous successful Red Team assessments against commercial Fortune 50 companies representing some of the best defensive teams in the industry.

Rob’s experience and expertise ranges from embedded and wireless devices in industrial control system networks to standard corporate IT infrastructures and domains. He is a frequent speaker at a number of well-known security conferences, including ShmooCon, DefCon, DerbyCon, CarolinaCon, Area41, RVASec, and HackCon; and teaches both the Metasploit Basics and Mastery classes at BlackHat USA. He has also served as a technical advisor for HBO’s show Silicon Valley and hosts his own show called Metasploit Minute on Hak5's channel (Discovery Digital).

Rob has acquired a number of certifications and awards over the years, but the ones he holds above the rest are father, husband, and United States Marine.

SEAN PARK

Fighting Metamorphism using Deep Neural Network with Fourier

The crux of on-time malware detection failure after decades of malware battles is primarily the diversity of malicious code, which is achieved through metamorphism. Metamorphism is pandemic in the modern malware threat landscape and messes up traditional automatic pattern recognition methods. Recently, deep learning has been applied to detect malware using raw binary features. However, this long-lasting metamorphism messes up input distributions, causing trouble for classification-based models.

This talk will provide a novel method that a proficient reverse engineer (as opposed to a data scientist) designed to cluster malware families, using a deep neural network for semantic hashing. In addition, it will show how to create pattern-invariant signals in the presence of diverse metamorphic techniques, using one of the greatest scientific works in human history, the Fourier transform. The efficacy of the model will be demonstrated against popular malware families that spread this year.

SEAN PARK BIO

Sean Park is a senior malware scientist at TrendMicro, researching various one-to-many detection methodologies such as an autonomous malware campaign analysis system using machine learning. He is currently working on unsupervised malware outbreak clustering and a next generation machine learning project to detect zero-day malware.

RON GULA

Measuring Risk

Ron Gula will discuss the various technical models used to measure how defense in depth is working or is not working, and discuss the pros and cons of each. Topics include attack path analysis, enrichment of vulnerabilities with threat feeds, and automated measurement of compliance.

RON GULA BIO

Reformed penetration tester, now security entrepreneur. Founded Tenable Network Security and creator of the Dragon IDS.

https://www.linkedin.com/in/rongula

DANIEL EDEN & ROSHAN MASKEY

You Just Got Popped.. That's Cool Bro, Your Friend the nightHawk Is Watching

Breaking into a network leaves a lot of artefacts. Periodically sweeping your endpoints and storing that data can be invaluable. Can you tell what's different between today, yesterday and last week? Can you quickly scope your investigation in a matter of minutes and begin triaging? nightHawk Response can.

nightHawk Response is an open source platform we developed using Elasticsearch as a search engine, Redline/HX/MIR audits as a data source and Golang as our backend parsing engine. It was thought up over a Saturday morning coffee when we realised there was no tool to help our colleague analysts perform incident response triage and hunting at scale. We give the user the ability to stack certain audits, search keywords, timeline and tag. The platform is designed to scale effortlessly, and with a bit of sysadmin magic you can audit your endpoints and servers on a daily basis, ingesting your collections and starting to baseline your business.
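The two operations the abstract leans on, stacking an audit across many hosts so the rare entries float to the top, and diffing one day's sweep against the previous one, are small enough to show directly. This is an added example, not nightHawk's code: the audit rows are constructed, shaped only loosely like a persistence/service audit (host, item path, hash), and the example assumes one row per host per item.

```python
from collections import Counter

# Constructed example sweeps (not real Redline/HX/MIR output): one row per
# host per item, as (hostname, path, sha1).
SWEEP_YESTERDAY = [
    ("host01", r"C:\Windows\System32\svchost.exe", "aaa1"),
    ("host02", r"C:\Windows\System32\svchost.exe", "aaa1"),
    ("host03", r"C:\Windows\System32\svchost.exe", "aaa1"),
    ("host01", r"C:\Program Files\Corp\agent.exe", "bbb2"),
    ("host02", r"C:\Program Files\Corp\agent.exe", "bbb2"),
    ("host03", r"C:\Program Files\Corp\agent.exe", "bbb2"),
]
# Today's sweep: identical, except host02 has grown a new binary in a
# world-writable directory.
SWEEP_TODAY = SWEEP_YESTERDAY + [
    ("host02", r"C:\Users\Public\update.exe", "ccc3"),
]


def stack(rows):
    """Least-frequency-of-occurrence stacking.

    Counts how many hosts report each (path, sha1) pair and returns the
    pairs rarest first; what everyone has is probably the OS, what one
    host has is what you look at.
    """
    counts = Counter((path, sha1) for _host, path, sha1 in rows)
    return sorted(counts.items(), key=lambda kv: kv[1])


def rare_items(rows, max_hosts=1):
    """(path, sha1) pairs seen on at most max_hosts hosts."""
    return [item for item, n in stack(rows) if n <= max_hosts]


def diff_sweeps(old, new):
    """Rows present in the new sweep but absent from the old one."""
    return sorted(set(new) - set(old))


if __name__ == "__main__":
    for item, n in stack(SWEEP_TODAY):
        print(n, *item)
    print("new since yesterday:", diff_sweeps(SWEEP_YESTERDAY, SWEEP_TODAY))
```

Replacing the constructed lists with rows pulled from an audit index (one query per sweep) is the only change needed to run this against real collections; the stacking and diff logic does not depend on the data source.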

We want to show how detecting a breach in your network can be less painstaking than assumed, scoping the incident can be done rapidly, and kicking out the bad guys can be a bag of fun (or despair because you lost your IP). Hunting down your adversary before they take your warez is the new big data/cloud/insert buzzword here. Why not jump aboard the IR train and get a piece of the action!

DANIEL EDEN & ROSHAN MASKEY BIO

Daniel and Roshan have been co-workers for many years, dating back to telecoms (NBNco) and a lengthy stint at a financial CSIRT (ANZ Bank). Daniel has recently joined Secureworks as a senior consultant. Both Daniel (GREM) and Roshan (GCFA/GCNA) are avid DFIR guys with a focus on detecting and mitigating persistent attackers in the enterprise.

STEPHEN KHO

On Her Majesty’s Secret Service – GRX and a Spy Agency

GPRS Roaming eXchange (GRX) has been in the mainstream media recently as part of the high profile Edward Snowden revelations. The leaked documents indicated that the UK government's intelligence organisation, Government Communications Headquarters (GCHQ), hacked the Belgian GRX provider, Belgacom International Carrier Services (BICS). They did this by targeting the GRX provider's employees with the ultimate aim of gaining access to Belgacom's core GRX routers.

In this presentation, we will explore the architecture of the GRX network, present the protocols it uses and give an understanding of the functionality they provide in relation to roaming mobile users on 2G, 3G and, in the future, 4G networks. We will show why GRX routers are interesting, particularly to spy agencies and other actors, and what an attacker who has access to a GRX network can do and gain access to.

Allegedly, GCHQ hacked the GRX routers in order to carry out man-in-the-middle "traffic sniffing" attacks against mobile users who are roaming with smartphones or other devices capable of handling data. How is this achieved? What are the required tools, attack techniques and network protocols that are involved when performing this type of attack? These are questions that will also be addressed during this talk.

GPRS Tunnelling Protocol (GTP) and Stream Control Transmission Protocol (SCTP) are the primary IP-based protocols of the GPRS core network. During this talk, we will delve into these protocols to not only present the protocol layout and functionality but also the common security weaknesses and misconfigurations that we came across during our testing.
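The GTP layout the talk promises to present is simple enough to parse by hand, and a parser is the first thing anyone enumerating a GRX network ends up writing. The following is an added example, not the speaker's tooling: it decodes the GTPv1 header as specified in 3GPP TS 29.060 (mandatory 8 bytes, then a 4-byte optional block when any of the E, S or PN flags is set) and separates signalling (GTP-C) from tunnelled subscriber traffic (GTP-U, message type 255). The two packets are constructed for the example, not captured; extension headers are deliberately rejected rather than parsed.

```python
import struct

# Subset of GTPv1 message types (3GPP TS 29.060); 255 is the user-plane G-PDU.
GTP_MSG_TYPES = {
    1: "Echo Request", 2: "Echo Response",
    16: "Create PDP Context Request", 17: "Create PDP Context Response",
    18: "Update PDP Context Request", 19: "Update PDP Context Response",
    20: "Delete PDP Context Request", 21: "Delete PDP Context Response",
    255: "G-PDU",
}

# Constructed sample packets (not captured traffic):
# Echo Request with the S flag set: flags 0x32, type 1, length 4, TEID 0, seq 1.
ECHO_REQUEST = bytes.fromhex("32 01 00 04 00 00 00 00 00 01 00 00")
# G-PDU carrying 5 bytes of user payload on TEID 0x12345678, no optional fields.
G_PDU = bytes.fromhex("30 ff 00 05 12 34 56 78") + b"hello"


def parse_gtpv1_header(data: bytes) -> dict:
    """Parse a GTPv1 header and return its fields plus the payload.

    Layout: flags(1) type(1) length(2) TEID(4) [seq(2) N-PDU(1) next-ext(1)].
    'length' counts everything after the 8 mandatory bytes, optional fields included.
    """
    if len(data) < 8:
        raise ValueError("truncated GTPv1 header")
    flags, msg_type, length, teid = struct.unpack("!BBHI", data[:8])
    version = flags >> 5
    if version != 1:
        raise ValueError(f"unsupported GTP version {version}")
    if 8 + length > len(data):
        raise ValueError("length field runs past end of packet")
    hdr = {
        "version": version,
        "protocol_type": (flags >> 4) & 1,   # 1 = GTP, 0 = GTP' (charging)
        "msg_type": msg_type,
        "msg_name": GTP_MSG_TYPES.get(msg_type, f"unknown({msg_type})"),
        "length": length,
        "teid": teid,
        "seq": None, "npdu": None, "next_ext": None,
    }
    offset = 8
    # If any of E, S or PN is set, the whole 4-byte optional block is present.
    if flags & 0x07:
        if length < 4 or len(data) < 12:
            raise ValueError("optional header fields flagged but missing")
        hdr["seq"], hdr["npdu"], hdr["next_ext"] = struct.unpack("!HBB", data[8:12])
        offset = 12
        if hdr["next_ext"] != 0:
            raise ValueError("extension headers not handled in this example")
    hdr["payload"] = data[offset:8 + length]
    return hdr


def is_control_plane(hdr: dict) -> bool:
    """GTP-C signalling vs GTP-U user data: only type 255 carries subscriber traffic."""
    return hdr["msg_type"] != 255


if __name__ == "__main__":
    for pkt in (ECHO_REQUEST, G_PDU):
        h = parse_gtpv1_header(pkt)
        plane = "control-plane" if is_control_plane(h) else "user-plane"
        print(h["msg_name"], "teid=%#x" % h["teid"], plane)
```

GTP-C normally runs on UDP/2123 and GTP-U on UDP/2152; feeding UDP payloads from those ports through parse_gtpv1_header is enough to tell an Echo Request probe from a tunnelled subscriber packet, which is the distinction that matters when deciding what a host reachable over the GRX is actually exposing.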

GRX networks are typically isolated networks that are not reachable from the Internet. There are only about 25 of them in existence and the general perception is that they are restricted access networks which only established telecommunication operators can join. What does a typical GRX network look like? What sort of devices are connected to it and how well are they configured? Through our extended network scanning activities over a period of several months, these questions will be answered as we present details of our GRX network discovery and service enumeration. From the type and number of devices to details of security vulnerabilities and misconfigurations, you will get a glimpse of typical vulnerabilities that may be available to an attacker who has access to a GRX network. Lastly, we will share our views on some best practice and risk mitigation steps you can carry out to secure and protect your GRX network devices.

STEPHEN KHO BIO

Stephen is currently the Managing Principal within HP Enterprise Consulting Services for the Australia, New Zealand and SE Asia regions where his team delivers professional services across several technologies and security capabilities including SIEM, data encryption, application security and Security Intelligence Operations (people & process).

He is a security professional with over 15 years of security industry experience across multiple business sectors, including financial and telecommunications. Specifically, he has extensive knowledge in the areas of security architecture, security assurance/vulnerability assessment and security technologies, arising from his network engineering, security consultancy and hands-on penetration testing background.

JAMES LAIRD-WAH

Orbiting The Saturn: Investigating A Decades-Old DRM System

The Sega Saturn was one of the most over-engineered consoles of the 1990s. Despite its technical attributes, it was relatively unpopular, and so 20 years after its release its copy protection mechanisms were still not fully known.

This talk covers my own reverse engineering journey with this machine, starting with determining and documenting the protection mechanism pressed into the discs. This then leads into dumping the CD controller's ROM, searching for a bypass; and then, unexpectedly, to a system compromise via an add-on card slot intended for Video CD support. The end result is a USB-enabled card that removes the need for a CD drive entirely.

JAMES LAIRD-WAH BIO

James is a hardware/software hacker who has a penchant for reversing interesting and troublesome tech in his spare time. Whilst working on his doctorate in biomedical engineering, some frustrating Apple gear spurred him to pull it apart and release Shairport, an open AirPlay receiver, in 2011. Meanwhile, a connection to the international chipmusic scene led him to develop Professor Abrasive's Drag'nDerp, a performance-grade flash cart for the Nintendo Game Boy. He has since completed his PhD and works as a cross-functional hacker at a neuromodulation company in Sydney. While his spare time is considerably diminished compared to his student days, he continues to build hardware and pick at tricky problems.

RICHARD JOHNSON

Fuzzflow Framework and Windows Guided Fuzzing

Fuzzflow is a distributed fuzzing management framework from Cisco Talos that offers virtual machine management, fuzzing job configuration, pluggable mutation engines, pre/post mutation scripting, crash collection, and pluggable crash analysis. We have recently ported the code from crusty 90s era DHTML to a modern web application and open-sourced it on GitHub! We will show off some of the workflow while discussing new mutation engine features driving the client side of the fuzzing system.

In the past year we have also added an Intel PT tracing mode as an engine for targeting Windows binaries in the widely used evolutionary fuzzer, American Fuzzy Lop. This fuzzer is capable of using random mutation fuzzing with a code coverage feedback loop to explore new areas. Using our new Intel PT driver for Windows, we provide the fastest hardware-supported engine for targeting binaries with evolutionary fuzzing. We will discuss the design challenges involved in performantly harnessing Intel Processor Trace for fuzzing.

In addition, we have added new functionality to AFL for guided fuzzing, which allows users to specify targeted areas on a program control flow graph that are of interest. This can be combined with static analysis results or known-vulnerable locations to help automate the creation of trigger inputs to reproduce a vulnerability without the limits of symbolic execution. To keep performance as the highest priority, we have also created new methods for efficiently encoding weighted graphs into an efficiently comparable bytemap.

RICHARD JOHNSON BIO

Richard Johnson is a computer security specialist in the area of software vulnerability analysis. Currently the Manager of Vulnerability Development for Cisco Talos, Richard offers 12 years of expertise and leadership in the software security industry. Current responsibilities include research and development of advanced fuzzing and crash analysis technologies facilitating the automation of the vulnerability triage and discovery process. Richard has presented annually at top-tier industry conferences worldwide for over a decade and was co-founder of the Uninformed Journal.

TREVOR JAY

Turncoat! An Insider's Guide To Attacking Container Technology

Can't stand the smugness of VC-backed hipsters? Do you long to take out your anger by finding fresh vulnerabilities in Docker and related technologies? Haven't been able to find a good place to get started?

Trevor Jay is a security engineer for containers at Red Hat and a former pen-tester. Since the acceptance of Docker containers into the Red Hat distribution, he has been present for every CVE review, and has witnessed or been involved in every major hardening and security effort. Sadly, this has left him little time for the fun business of breaking things, so he's decided to share his experience in the hope that others can find more interesting vulnerabilities.

This "casing study" will point out the most promising weak points in current container technologies. This will include a review of the most serious container CVEs to date, demonstrations of the most successful attacks, and an engineering analysis of the most vulnerable parts of the container stack.

Learn what kinds of attacks have been successful so far and what techniques look most promising.

TREVOR JAY BIO

Trevor Jay is a principal security engineer at Red Hat, where he is responsible for emerging technologies. Previously he has worked as a penetration engineer. His background is in software engineering for web-based autonomous robotics.

NATE ROGERS & BEN LELONEK

Make Event Tracing Great Again

Event Tracing for Windows (ETW) is nothing new. It's existed in all versions of Windows since Vista and has many detailed blog postings from Microsoft when it first came out (around 2009). It's also been used in a few instances of cyber security related research as well as tools ranging from malware research in Academia to abused Admin ("badmin") tools for red teams and penetration testers. In spite of all this, and for reasons we can't figure out, the real potential for ETW remains untapped for both offensive and defensive purposes in virtually all these previous applications.

This talk will show ETW's previous usage in both industry and academia but will focus on its underutilized potential. For the defensive, anti-malware side of the industry, ETW has vast potential as a new vector for data capture. It can capture ("trace" in ETW speak) events from every facet of a system, including the kernel, file I/O, memory allocation, network activity and .NET usage to name a few, all the while remaining relatively difficult (from malware's perspective) to detect, as this mechanism is already native to modern versions of Windows. These events can be captured and parsed dynamically as well as aggregated and parsed later. This versatility allows ETW to provide an alternative mechanism for anti-malware tools but also has applications in sandboxing and automated malware analysis and research. For the anti-malware minded folks in the industry, ETW provides a valuable data source to pursue, or to aid in the pursuit of, existing tools and research.

For the Red Teamers and Pen-Testers, ETW appears to have far more potential than what is currently being leveraged publicly in the community. While examples of cookie stealing and netflow exist, this is just the tip of the iceberg. ETW provides thousands of types of events an attacker can potentially access, giving them virtually any desired detail about the system. We'll discuss a few of these events in detail and give demos on how they can be abused. Lastly, we will demonstrate their usage while highlighting the "stealth" of ETW and why it will be difficult for the AV industry to prevent abuse of ETW by attackers.

NATE ROGERS & BEN LELONEK BIO

Nate Rogers is the tech lead of the Security Research Team [SRT] at CyberPoint International. His research focuses on vulnerability research, fuzzing, analyzing high profile malware, dodging managerial responsibilities, and exploring the latest new attack vectors and ways to detect/mitigate them. Professionally, his experience covers the following areas: reverse engineering, malware analysis, infosec-related software development, and penetration testing. He loves tinkering in all areas infosec related and often spends his free time bug hunting or struggling at CTFs. He is currently a graduate student studying Cyber Security at NYU Poly.

Ben Lelonek is currently a member of the Security Research Team [SRT] at CyberPoint International. Most of his experience is in software development, primarily on tools for malware analysis. His research interests include automating malware analysis, honeypots, and the Internet of Things. He is currently a graduate student studying Computer Science at UMBC.

DANIEL GRZELAK & MIKE FULLER

AWS regrets: Gremlins in your Cloud Success

Amazon Web Services are made of win and awesome. The marketing really does ring true, even if your buzzword bingo count has to be a 64-bit int so it doesn't overflow. It's trivial to set up a modern [buzzwords here] application in AWS and have it running smooth as silk. It's all sunshine and butterflies until you find out about that thing you were meant to do, the cleanup you forgot, or the reasonable assumption that turned out to be unreasonable.

This presentation is about the gremlins hiding in your "Cloud Success". Did you forget to delete that DNS entry after deleting your S3 bucket? Oh, too bad, your subdomain belongs to Rick Astley. Think a third party has assumed a role in your account? Too bad it was only logged in the source account, not the destination. These are just a few of the gremlins that you will learn about.

If you have an AWS deployment of any size, be prepared to send panicked questions to your system engineers. We certainly did (hi Mike).
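Both gremlins named above can be hunted for with plain data you already have: a dump of your Route53 records against the list of buckets that still exist, and the source account's CloudTrail for AssumeRole calls whose target role lives in another account. The following is an added example, not the speakers' tooling or anything from AWS: the records, bucket list and CloudTrail events are constructed, the record tuples are a simplified (name, type, target) shape rather than the real Route53 ResourceRecordSet JSON, and the host-name regex is this example's own summary of the S3 global, regional and static-website endpoint names.

```python
import re

# Host-name shapes that point a DNS record at S3: the global endpoint
# (bucket.s3.amazonaws.com), regional endpoints and the static-website
# endpoints (bucket.s3-website-<region>.amazonaws.com or the bare
# s3-website-<region>.amazonaws.com used by alias records).
S3_ENDPOINT_RE = re.compile(
    r"^(?:(?P<bucket>.+?)\.)?s3(?:-website)?"
    r"(?:[.-](?P<region>[a-z]{2}-[a-z]+-\d))?\.amazonaws\.com\.?$"
)

# Constructed records as (record name, type, target); not real zone data.
RECORDS = [
    ("www.example.com.", "CNAME", "www.example.com.s3-website-ap-southeast-2.amazonaws.com"),
    ("static.example.com.", "ALIAS", "s3-website-ap-southeast-2.amazonaws.com"),
    ("files.example.com.", "CNAME", "files-bucket.s3.amazonaws.com"),
    ("app.example.com.", "A", "203.0.113.10"),
]
# Constructed: buckets that currently exist. static.example.com was deleted.
EXISTING_BUCKETS = {"www.example.com", "files-bucket"}


def find_dangling_s3_records(records, existing_buckets):
    """Return records that point at S3 but whose bucket no longer exists.

    A CNAME/alias straight at the bare website endpoint resolves the bucket
    from the Host header, so the bucket name is the record name itself.
    Anyone who creates a bucket with that name now owns your subdomain.
    """
    dangling = []
    for name, rtype, target in records:
        m = S3_ENDPOINT_RE.match(target.lower())
        if not m:
            continue
        bucket = m.group("bucket") or name.lower().rstrip(".")
        if bucket not in existing_buckets:
            dangling.append((name, rtype, target, bucket))
    return dangling


# Constructed CloudTrail events from the *source* account 111111111111,
# trimmed to the fields the check needs.
CLOUDTRAIL_EVENTS = [
    {"eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
     "recipientAccountId": "111111111111",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"},
     "requestParameters": {"roleArn": "arn:aws:iam::222222222222:role/Deploy"}},
    {"eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
     "recipientAccountId": "111111111111",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/bob"},
     "requestParameters": {"roleArn": "arn:aws:iam::111111111111:role/ReadOnly"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "recipientAccountId": "111111111111",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/bob"},
     "requestParameters": None},
]


def cross_account_assumptions(events):
    """From the source account's trail, list AssumeRole calls into other accounts.

    Since the destination account does not see these, the only place to
    inventory who is reaching into other accounts (or being reached into,
    if you are handed a partner's trail) is the caller's side.
    """
    hits = []
    for ev in events:
        if ev.get("eventSource") != "sts.amazonaws.com" or ev.get("eventName") != "AssumeRole":
            continue
        role_arn = (ev.get("requestParameters") or {}).get("roleArn", "")
        # ARN layout: arn:partition:service:region:account-id:resource
        role_account = role_arn.split(":")[4] if role_arn.count(":") >= 5 else ""
        if role_account and role_account != ev.get("recipientAccountId"):
            hits.append((ev["userIdentity"]["arn"], role_arn))
    return hits


if __name__ == "__main__":
    for name, rtype, target, bucket in find_dangling_s3_records(RECORDS, EXISTING_BUCKETS):
        print(f"dangling {rtype} {name} -> {target} (bucket {bucket!r} does not exist)")
    for caller, role in cross_account_assumptions(CLOUDTRAIL_EVENTS):
        print(f"cross-account AssumeRole: {caller} -> {role}")
```

Wiring this to live data means replacing RECORDS with route53 list-resource-record-sets output (alias records carry the target under AliasTarget.DNSName), EXISTING_BUCKETS with s3api list-buckets from every account that might own the name, and CLOUDTRAIL_EVENTS with a lookup-events or S3-delivered trail; the matching logic is unchanged.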

DANIEL GRZELAK & MIKE FULLER BIO

Daniel is a 100% cyber-free Security Intelligence Manager at Atlassian. He files TPS reports so that his team can fight the good fight, detecting bad guys pwning the clouds. He once opened the AWS web console and is now totally an expert in hacking AWS.

Mike works as a Principal Systems Engineer at Atlassian. His job is to try and make sense of everything AWS - he hasn't told his boss that's not a thing yet. He is a bonafide Cloudy Cloud Ninja, having previously presented at AWS Re:Invent in Vegas and AWS Summit Sydney.